Vulnerability disclosed pwds of all Barracuda Network Employees

Jul 25, 2013, 11:30 am EST

The cyber security analyst Ebrahim Hegazy (@Zigoo0) of Q-CERT has found a password disclosure vulnerability in one of Barracuda's update servers which allows an attacker to gain access to the credentials of all its employees.

When a system administrator needs to protect a directory with a second authentication layer (HTTP basic authentication) in addition to the application's own back-end authentication, there are several ways to do it; one of them is through the configuration of .htaccess and .htpasswd files. A proper configuration prevents a visitor from browsing a reserved area (e.g. /Cpanel or /admin): the browser shows a popup asking the user to enter credentials, and those credentials are checked against the entries saved in the .htpasswd file as:

Username:Password

In normal scenarios the .htpasswd file should be stored outside the web directory (e.g. C:\AnyName\.htpasswd), but in Barracuda's case the file was stored inside the admin panel directory and was accessible to anyone, with serious repercussions.

If a user directly accesses the following link

http://updates.cudasvc.com/admin/.htpasswd

he will be able to read the passwords of all Barracuda Networks employees, such as:
Support, Sales, UK branch employees, update server users, engineers and others who have access to the basic authentication layer!

The password disclosure vulnerability is exacerbated by the fact that the passwords were saved in clear text; the following screenshots were taken before the vulnerability was patched.
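As an added example (not code from the article, from the researcher, or from Barracuda), the following Python audit script checks a web server for the two mistakes described above: a .htpasswd file located under the document root, where the web server can serve it to any visitor, and entries whose password field is cleartext rather than one of the hash formats the htpasswd tool produces. The file paths and the entries are constructed for the demonstration.

```python
import os
import re
from typing import List, Tuple

# Hash formats written by Apache's htpasswd tool; anything else is treated as
# cleartext. A 13-character alphanumeric cleartext password would be mistaken
# for a traditional crypt(3) hash, which is a known limit of pattern matching.
_HASH_PATTERNS = {
    "bcrypt": re.compile(r"^\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}$"),
    "apr1-md5": re.compile(r"^\$apr1\$[^$]+\$[./A-Za-z0-9]{22}$"),
    "sha1": re.compile(r"^\{SHA\}[A-Za-z0-9+/]{27}=$"),
    "crypt": re.compile(r"^[./A-Za-z0-9]{13}$"),
}


def classify_password(field: str) -> str:
    """Return the hash scheme of one .htpasswd password field, or 'cleartext'."""
    for name, pattern in _HASH_PATTERNS.items():
        if pattern.match(field):
            return name
    return "cleartext"


def audit_htpasswd(content: str) -> List[Tuple[str, str]]:
    """Return (username, scheme) for every entry in a .htpasswd file's content."""
    findings = []
    for line in content.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, _, password = line.partition(":")
        findings.append((user, classify_password(password)))
    return findings


def is_inside_docroot(htpasswd_path: str, docroot: str) -> bool:
    """True when the file lies under the document root and is therefore web-reachable."""
    path = os.path.realpath(htpasswd_path)
    root = os.path.realpath(docroot)
    return os.path.commonpath([path, root]) == root


def report(htpasswd_path: str, docroot: str, content: str) -> List[str]:
    """Produce one finding per problem: exposed location and each cleartext entry."""
    issues = []
    if is_inside_docroot(htpasswd_path, docroot):
        issues.append(f"{htpasswd_path} is under document root {docroot}: served to any visitor")
    for user, scheme in audit_htpasswd(content):
        if scheme == "cleartext":
            issues.append(f"user {user!r} has a cleartext password")
    return issues


# Constructed sample file: an apr1-md5 entry, a SHA entry and a cleartext entry.
SAMPLE = ("alice:$apr1$ab3Z9Qx1$Ck1uFQe9hZ7Rc2QfLB9LJ1\n"
          "bob:{SHA}2jmj7l5rSw0yVb/vlWAYkK/YBwk=\n"
          "carol:hunter2\n")
```

Run against a real server, the script would be pointed at the document root and the path the .htpasswd file actually lives at; both the exposed location and the cleartext entries are reported independently, since either one alone is a finding.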

[Screenshots: 403, 403 -2, htpass]

The vulnerability was reported by Ebrahim Hegazy to Barracuda, which has already fixed it, although it was not eligible for the bounty. Curiously, Barracuda considered the "password disclosure vulnerability" out of scope; IMHO it is a critical flaw. Ebrahim Hegazy (https://twitter.com/Zigoo0) found and reported the vulnerability to Barracuda as a participant in the Barracuda bug bounty program.

I consider Ebrahim Hegazy a very skilled professional who is doing an excellent job in the security field; let's remember that in the last few months he has already discovered flaws in the DropBox and Avira web sites and in Yahoo! … What's next?

What will happen if those smart guys start to sell their knowledge of vulnerabilities in the underground?

(Source: CDM, Pierluigi Paganini, Editor-in-Chief)
